Changing Battle Tactics

Copyright 2010
TrustCC ITAudit, SecurityandBCP
byTomSchauer
CISSP,CISA,CISM,GCIH,CTGA CEOofTrustCC
Agenda
BackgroundandIntroduction SMBHacksandOnlineBankingFraud SocialNetworkingDeception MFP:MultiFunctionPeripheralorMadefor exPloitation PatchManagementorPatchMayhem HackersforHire
Copyright 2010, TrustCC.
AllRightsReserved.
IntheWorldofNetworked ComputersEverysociopathis yourneighbor!
AllRightsReserved.
Check usoutatwww.trustcc.com!
Copyright 2010
ChronologyofDataBreachessince2005
500 Million Sensitive Records Breached Since 2005

The most recent total from the Privacy Rights Clearinghouses Chronology of Data Breached shows more than a half billion sensitive records breached since 2005, leaving Americans vulnerable to identity theft. Employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online the Chronology of Data Breaches shows hundreds of ways that the personal information of consumers is lost, stolen or exposed. The Chronology of Data Breaches, a project of the Privacy Rights Clearinghouse since 2005, lists incidents involving breached consumer information, such as personal medical records, credit card numbers and Social Security Numbers. The most recent total, published August 24, 2010, is a wake-up call to consumers who think identity theft cant happen to them. The Privacy Rights Clearinghouse estimates that the Chronology shows only a fraction of the total number of data breaches.
510,528,937 RECORDS BREACHED

From 1,714 DATA BREACHES made public since 2005
AllRightsReserved.
AllRightsReserved.
AllRightsReserved.
Copyright 2010
AllRightsReserved.
CyberCrimeexceedsDrugTrafficking
AllRightsReserved.
AllRightsReserved.
Copyright 2010
LostLaptopsandMobileMedia
AllRightsReserved.
WirelessTechnologyRisks
AllRightsReserved.
HouseSitesHacked
AllRightsReserved.
Copyright 2010
AllRightsReserved.
AllRightsReserved.
OnePWforEverything
AllRightsReserved.
Copyright 2010
Spam,SpamandmoreSpam
AllRightsReserved.
IsMacmoresecurethanWindows?
AllRightsReserved.
Vishing,Phishing,OhMy
AllRightsReserved.
Copyright 2010
PhishingeMail
AllRightsReserved.
Botnets
authoritiesinSpain announcedthebreakupof amassivebotnetcalled Mariposa,comprising morethan12million infectedPCsin190 countries.

USAToday
AllRightsReserved.
SecurityPopUpAds
AllRightsReserved.
Copyright 2010
BeingSecure
AllRightsReserved.
SecuretheRightThings
AllRightsReserved.
CustomersSuingBanks severalcases
AllRightsReserved.
Copyright 2010
KeyPointsintheFraud
1. Firstthebusinessiscompromised(web,email,botnet) 2. Credentialsstolenandusedtocommitfraud 3. TheBusinesssview

1. 2. 3. 4. 5. 6. FraudcomesfromnonlocalIP Simultaneouslogins Unusualamountsandtiming Noverificationprocedures OtherFis domore Youdidntwarnme
AllRightsReserved.
AllRightsReserved.
TrustCCs EFTFraudRecommendations
1. Offerstronganddynamicauthentication 2. Contractuallyadvisecustomersoftheneedtocomplywith securitybestpractices 3. Educatecustomersaboutthreatandcontrols 4. RecommendaSecuritySelfAssessmentandencourage customerstoremediateidentifiedsecurityweaknesses 5. Monitorregularlytodetectunusualactivity OurTrustED BriefingandSelfAssessmentoffers unprecedentedhelptoFinancialInstitutions.
AllRightsReserved.
Copyright 2010
AllRightsReserved.
SocialNetworkingRisksandReward
For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it. Bill Brenner
AllRightsReserved.
SocialNetworkingAdvantages
Sustainexistingrelationships Getconnectedtoothers Findtalentinthetrenches Viralmarketingonthecheap
AllRightsReserved.
10
Copyright 2010
AllRightsReserved.
AllRightsReserved.
Buttheindividualmight
Misrepresent Befooled Wastetime Installmalware
AllRightsReserved.
11
Copyright 2010
Whataboutanemployeesaccount?
AllRightsReserved.
WhoisChipConley?
AllRightsReserved.
ImposterProfiles
Assumingtheidentityofaprominentpersoninan organizationandthenfriendingasmanypeople aspossible. Assumingtheidentityofanattractiveand availablepersonwhoworksatatargeted organization,thenworkthenetwork.
AllRightsReserved.
12
Copyright 2010
ChallengeResponseQuestions
Whatpercentageofonlinebankingchallenge responsequestionscananswersbefoundonthe net?

Whatyearwasyouroldestchildborn? Whatwasyourfavoritesportinhighschool? Whatwasyourfirstcar?
AllRightsReserved.
AnotherDEFCONContest
Oneofthemoreinterestingeventsatthisyear'sDefcon hackerconferenceinLasVegaswasasocialengineering contestthattargetedbigcompanieslikeMicrosoft,Google andApple.Participantspretendingtobeheadhuntersand surveytakerswereabletotrickemployeesatthecompanies intogivingoutinformationoverthephonethatifitlandedin thewronghandscouldbeusedtosneakmalwareonto machinesatthecompanyorotherwisegetaccesstothe company'sdata.
AllRightsReserved.
Poll
Whatconcernsyoumostaboutsocialnetworking?
A)impacttoproductivity B)Informationleakage C)Misrepresentation D)Malwaredistribution E)Alloftheaboveandmore
AllRightsReserved.
13
Copyright 2010
HowtoDoSocialMedia
EstablishGoals SetupaWeb/MediaAdvisoryCommitteewith someofyouryoungertechsavvystaff. EstablishSocialMediaPolicies Determinewhowillhaveaccesstosocialmedia fromtheworkplace
AllRightsReserved.
AdministrativeControl
HaveaPolicythatisappropriateforyour environment. HaveanAcknowledgementandAcceptanceof Policy ProvideTraining MonitorSocialMediaSites HaveanIncident/CrisisResponseTeam
AllRightsReserved.
TechnicalControls
BlockaccesstowellknownSNsitesby unauthorizedindividuals Ensureantimalwareiseffective Ensuresystemsarealwayspatched Dontallowgeneralemployeestobelocal administratorsontheircomputers(Win7) Monitoronlineactivities
AllRightsReserved.
14
Copyright 2010
MultiFunctionPeripheralorMadeforexPloitation
IneedanothermeaningfortheacronymMFPconsidered madeforpenetrationbutitsoundsxrated. WhatdoMFPs doforHackers? MFPharddrivesstorepreviouslyprinteddocuments MFPs likelyhavealocaladministratoraccountthatcould havethesamepasswordasothersystems MFPs canberootedandthenmadetophonehome
AllRightsReserved.
PrinterPopping
WearepoppingPrintersatabout85%ofourclients. Inonerecentcase,aprinterwasallwegot.Itledto LocalAdmin,thenanadministratorsbox,thenakey strokelogger,thenDomainAdmin! GameOver!
AllRightsReserved.
PatchManagementorPatchMayhem
MicrosoftreleasesOutofBandupdatesasfrequentlyas LindsayLohan goestojailordrugrehab. StandardMicrosoftPatchingToolssuchasWindowsServer UpdateServices(WSUS)regularlyprovidefalsereporting. Someupdatesreintroducepreviouslypatched vulnerabilities Microsoftupdatesarejustonebrandofthemanyupdates thatareneeded:Adobe,Cisco,Symantec,BackupExec,etc Somevendorsareresistantorlatefordinnerwhenit comestopatchsupport
Copyright 2010, TrustCC. AllRightsReserved.
15
Copyright 2010
88isabignumber
AllRightsReserved.
Everysystemneedsupdates
AllRightsReserved.
Solutions
Subscribetoeverypatchreleasefromeverypiece ofsoftwareyouown(oroutsourcetoHEIT) Evaluateallreleasedupdatesforapplicability Testwhenyoucanyetdeployexpeditiously RunNessus oranequallyeffectivepatch verificationutilityonaveryregularbasis Holdvendorfeettothefire.Berelentless. UseourHardeningStandards
AllRightsReserved.
16
Copyright 2010
AllRightsReserved.
HackersforHire Why
GLBAsaysRegularlytestthekeycontrols, systemsandproceduresoftheinformation securityprogram.Thefrequencyandnatureof suchtestsshouldbedeterminedbythecredit unionsriskassessment.Testsshouldbe conductedorreviewedbyindependentthird partiesorstaffindependentofthosethatdevelop ormaintainthesecurityprograms.
AllRightsReserved.
KeyControls
Also, Note the format of the table specifically meets GLBA ISRA Guidelines.
AllRightsReserved.
17
Copyright 2010
Whoshouldyouhire?
FFIECsays History, Reputation,References, Experiencedwith ControlsandFinancial Institutions,Capability, Certifications,Insured, InternalControls, Current,Financially Sound,Compliant,etc
AllRightsReserved.
WhatShouldYouTest?
Whatareyourkeycontrols?
Physical Administrative Technical
Youwilllikelyneedavarietyofskillstotestallkey controls.Forexample,isyourpentestingfirmthe rightgrouptotestyourfireextinguishersor alarms?Probablynot.

Copyright 2010, TrustCC. AllRightsReserved.
BoardGovernance
MoreExaminersarelookingtotheBoardorasubcommittee tocarefullyoverseetheinformationsecurityfunction.Yetthe followingchallengesexist: 1. MostBoardmembersarelesstechnical 2. MostBoardsarepreoccupiedwithbankingmatters 3. MostBoarddislikegovernanceandcompliance 4. ThefutureofyourFinancialInstitutioncouldlieinthe handsofyourRegulator
AllRightsReserved.
18
Copyright 2010
TheBuckStopsHere!
PerformBoardTrainingon: 1. GLBA 2. RiskAssessmentCulture 3. FFIECExamGuidance 4. BCP
AllRightsReserved.
SampleOnePageSecurityReport
AllRightsReserved.
ATMInsecurity ShouldIbeConcerned?
Youshouldbeconcernedif:
YourunTritonorTranex ATMs YoudontphysicallyinspectyourATMseveryday YouhavenotperformedaTR39review YoucannotspellATM YourATMsaremissingsecuritypatches
AllRightsReserved.
19
Copyright 2010
BarnabyJack
Duringwhat'sbeendescribedasadramatic displayattheBlackHatConference,BarnabyJack demonstratedhoweffortlesslyahackercould infecttwoATMs.
AndtheATMsspilledthecash!
AllRightsReserved.
ATMSkimmingEquipment
AllRightsReserved.
ATMPINManagement(TG3nowTR39)
IfaSTARMemberweretofailtocomplywithsuch requirementsandacompromiseweretooccurthatcould havebeenpreventedifthatSTARMemberhadbeen compliant,STARwillholdthatSTARMemberliableforthe resultantfraudlossesincurredbyeachotherparticipantin theSTARNetwork. EachSTARMembershould,therefore, continuetoconductaperiodicreviewofitsenvironmentto ensurethatitandanythirdpartyactingonitsbehalfis compliantwithSTARsecurityrequirements.
TR39looksatphysical,administrativeandtechnicalsecurity requirementsandcouldpreventskimmingandotherATMfraud.
AllRightsReserved.
20
Copyright 2010
TR39ReviewQuestions
Doyouhavewrittenproceduresthatyoufollow thatprovidefortheremovalofKeysfromanATM whensendingtheATMforservice? Doyouhavefulldualcontrolandseparate knowledgeforallKeycomponentsinallstagesof thekeylifecycle? DoyoudoublelengthKeysinyourATMs? DoesyourvendormaintainarecordofeveryKey managementactivity?
AllRightsReserved.
ATMsfrequentlyhavevulnerabilities
MissingCriticalSecurityPatches: IPAddress:10.137.190.250 System:MainBranchATM MS08067,MS06035,MS09001,MS06040
AllRightsReserved.
HelpYourCustomers/Members!
AllRightsReserved.
21
Copyright 2010
AllRightsReserved.
AllRightsReserved.
ContactUS!
AllRightsReserved.
22
Copyright 2010
TrustCC Resources
AllRightsReserved.
ReadOurBlog
AllRightsReserved.
QuestionsandConversation
TomSchauer tschauer@trustcc.com 253.468.9750 Callme,nochargeforgoodquestions!
AllRightsReserved.
23

Changing Battle Tactics

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Changing Battle Tactics

Hochgeladen von

Copyright:

Verfügbare Formate

Copyright 2010

TrustCC ITAudit, SecurityandBCP

BackgroundandIntroduction SMBHacksandOnlineBankingFraud SocialNetworkingDeception MFP:MultiFunctionPeripheralorMadefor exPloitation PatchManagementorPatchMayhem HackersforHire

Copyright 2010, TrustCC.

IntheWorldofNetworked ComputersEverysociopathis yourneighbor!

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

500 Million Sensitive Records Breached Since 2005

510,528,937 RECORDS BREACHED

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

authoritiesinSpain announcedthebreakupof amassivebotnetcalled Mariposa,comprising morethan12million infectedPCsin190 countries.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

1. Firstthebusinessiscompromised(web,email,botnet) 2. Credentialsstolenandusedtocommitfraud 3. TheBusinesssview

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Sustainexistingrelationships Getconnectedtoothers Findtalentinthetrenches Viralmarketingonthecheap

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Misrepresent Befooled Wastetime Installmalware

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Assumingtheidentityofaprominentpersoninan organizationandthenfriendingasmanypeople aspossible. Assumingtheidentityofanattractiveand availablepersonwhoworksatatargeted organization,thenworkthenetwork.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

Whatpercentageofonlinebankingchallenge responsequestionscananswersbefoundonthe net?

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

Copyright 2010, TrustCC.

TrustCC ITAudit, SecurityandBCP

EstablishGoals SetupaWeb/MediaAdvisoryCommitteewith someofyouryoungertechsavvystaff. EstablishSocialMediaPolicies Determinewhowillhaveaccesstosocialmedia fromtheworkplace